
Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 03:47

General

  • Target

    2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe

  • Size

    2.9MB

  • MD5

    2a41b8df5b88e7e57ad356486e45ae11

  • SHA1

    79c84e0684aefc93c039b7405dbcb3650bc1c0ce

  • SHA256

    a3528d1769254239abf14c2a3271ba710a91d23cadfbce619fba6d99495ede91

  • SHA512

    2b96ea703dea11564816d3067872c7c5ac7c8d692d0b2931e446ab3d2716a48ea90dce65865abc76252bb4ba827b68061ef270b5f4443e7313a74b20d824989f

  • SSDEEP

    49152:lnqLvvJ9Fod/OpY1Jf+YvoVkXrYErnuKlAhUpd01RMEEWIjf5EfdNQmvLc1UGn:ZqjTyop1CrYsuKlAhUpCMEEFjf5YLzjC

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MultipleSearchReplaceShellExt.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:1232
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4dots-software.com/multiple-search-replace/?afterinstall=true&version=5.5
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1ad246f8,0x7ffd1ad24708,0x7ffd1ad24718
        3⤵
        PID:2976
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        3⤵
        PID:4440
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4456
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
        3⤵
        PID:616
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        3⤵
        PID:4556
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        3⤵
        PID:3676
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        3⤵
        PID:3788
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2156
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
        3⤵
        PID:1124
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
        3⤵
        PID:2448
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        3⤵
        PID:2184
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
        3⤵
        PID:3116
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:388
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1060

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Program Files (x86)\4dots Software\Multiple Search and Replace\MultipleSearchReplace.exe

                            Filesize

                            958KB

                            MD5

                            52b67d8b4b8d6c1cf8035b88a7f1b3cc

                            SHA1

                            43ffd2bb7ff726b829e040b0f65e3aea08f1ed90

                            SHA256

                            fe66807a5bb7449d8081befd70c58a3ffb85ad70fd05803578c5524c51659f08

                            SHA512

                            04e2f5c9619d8329038028194b91ac5c55e530869380b27e01f0db812d22d9939d2db8f0a374d679bbae0a0adcfff5f9da86bffcdfe469053b3685d8970d14c6

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            e443ee4336fcf13c698b8ab5f3c173d0

                            SHA1

                            9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

                            SHA256

                            79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

                            SHA512

                            cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            56a4f78e21616a6e19da57228569489b

                            SHA1

                            21bfabbfc294d5f2aa1da825c5590d760483bc76

                            SHA256

                            d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

                            SHA512

                            c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            96B

                            MD5

                            1e39b9ae0fe45cd48f8abb9c0998ffbc

                            SHA1

                            c30b62cee4b7af1b84263a531d5e73acb0a21874

                            SHA256

                            e7bd2181ff10eacae4eaaa66c217b22409bff14e0a7b89dfbeec8ba0c73dadfb

                            SHA512

                            755f1bb9ed28bccd6823c42a68235941afe274c8703137907a529a33e3c5dc9d3f02c675364dfcbf85c55bb494150aa4eb3f9f3cbcb7bd6bd248bbc36aff7328

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            791B

                            MD5

                            d70d09e415587ef2394a5471420d7ebf

                            SHA1

                            c566248b4f3f26bea24038b3d4da0176d1a2cf72

                            SHA256

                            840d2cddff0bc9fca2c21fbd313f0b1cf7fc22713a30bc34f842934c7f170cf7

                            SHA512

                            9ab52b92f53f139ea353f4a1d1aebd52ace1d64b75a5d2d25fd96c865c231f23b4898e86128e4688ea4ad53102aa8807174fee2eb5e2318cf0e0980db55d524e

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            bef4ad931ac5c6beb59a4cc8332eec69

                            SHA1

                            635903f62fac520d2746c4e6c8b7a101b850ca56

                            SHA256

                            b4ce0ed5c03330398ae362c375b13d9e047d3e050aaebb27f37c50852ff34c59

                            SHA512

                            288eb90fbdb13374a0f30f97dd5d8e8714dcd0d69914d3fb448e8243b288d6e497840b79f79e29d362458362f7a94f51921e9aa3c46f54ed93c1819566c3d133

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            b485c1b4f32c0dc86c54679936fc432b

                            SHA1

                            0ad33a057b436630e5126db583cdfab7bdcfb2d9

                            SHA256

                            912187e98fb97133f5cf24936d01c35008eb602ea7e710a70f5f6b0a75b88c65

                            SHA512

                            6035f929ce9b8a26e29503318819bfa2284ffbd0135d60a6523f9916e172947bf8e417fff62f2d12a8e0da8b87cf8ba22f752e410f7196c0df26658c0b3e8e0e

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            07a2faaec7414ac27814f057086eb5d3

                            SHA1

                            d0acf4cfc9271845efd33594cf5993dc7c7f558d

                            SHA256

                            618af14f6b82efa84f438eb239308a69e9219866218913aa6e39f58bd5f38c2c

                            SHA512

                            ba66edb7512424877d950dc39b6cffaf68fb303a8e005b7052f2906985b368790e9d54e7a10dc8e19ea34a0db3c9d9df0386675950dfe24efbcbb436c85c4b7f

                          • C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\InstallOptions.dll

                            Filesize

                            14KB

                            MD5

                            8d5a5529462a9ba1ac068ee0502578c7

                            SHA1

                            875e651e302ce0bfc8893f341cf19171fee25ea5

                            SHA256

                            e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

                            SHA512

                            101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

                          • C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\NSISAdditionalActionsPage.ini

                            Filesize

                            652B

                            MD5

                            fc0ba3a0e1253b333ea6800fd4232f99

                            SHA1

                            7f2daa9a6167b890a32ee15e28ef025a62a3b5ac

                            SHA256

                            0268497d9e082eff583dbba0b68251857d8585b28833edeaf844ddd17f2175ee

                            SHA512

                            b98fdda2e63b96443899e379a43151d8c6e1baff63a33c8e99deb2c63d358e8e17d36ef8e454b0a23c7149b9a0cdcd0cecea80ca4783153a740d2a58bedc9a8f

                          • C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\NSISAdditionalActionsPage.ini

                            Filesize

                            578B

                            MD5

                            7b9b7c8a97c1afdd562bd9cfa82c2be6

                            SHA1

                            cf1a6d6c630d2a80a94f40ad1cc617e16c3aad5c

                            SHA256

                            0654e9d3880d9ff6b693b4ba1ce531cb81e2c0039e9d5ec9daf2531d313f3ba1

                            SHA512

                            2afada6aaf33cf78140f666a2a17fa706bea73df2406ccf7767fc3345ba6ed61cc60b4c300313569bdaad0f7ed2767d9b2e9193864dfaa52bc6991c8a4d268d2

                          • C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\System.dll

                            Filesize

                            11KB

                            MD5

                            b0c77267f13b2f87c084fd86ef51ccfc

                            SHA1

                            f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

                            SHA256

                            a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

                            SHA512

                            f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

                          • C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\modern-wizard.bmp

                            Filesize

                            25KB

                            MD5

                            cbe40fd2b1ec96daedc65da172d90022

                            SHA1

                            366c216220aa4329dff6c485fd0e9b0f4f0a7944

                            SHA256

                            3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

                            SHA512

                            62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

                          • C:\Users\Admin\AppData\Local\Temp\nskAC7D.tmp\nsDialogs.dll

                            Filesize

                            9KB

                            MD5

                            eac1c3707970fe7c71b2d760c34763fa

                            SHA1

                            f275e659ad7798994361f6ccb1481050aba30ff8

                            SHA256

                            062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3

                            SHA512

                            3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

                          • C:\Windows\system32\MultipleSearchReplaceShellExt.dll

                            Filesize

                            33KB

                            MD5

                            ace9f19e19a07de0fe7e0f1e858a523c

                            SHA1

                            898c63c2f9c32d1148f8618a6f9dee89984a8f9d

                            SHA256

                            7e79de7c3ef68b615e86a732597a8022de71a14d81be4b4978db39a67cfc3d57

                            SHA512

                            a2e32fe5c3652824572f8f1a9a7b145e1c17cb6fbffa52903cffa548f450df89d996b933f95726bb514dfaa16c7d9b2ffa1caedf6ccbf6f1a577b48b0b052ebb